It is well-known that simple, accidental BGP configuration errors
can disrupt Internet connectivity. Yet little is known about the frequency
of misconfiguration or its causes, except for the few spectacular
incidents of widespread outages. In this paper, we present
the first quantitative study of BGP misconfiguration. Over a three
week period, we analyzed routing table advertisements from 23
vantage points across the Internet backbone to detect incidents of
misconfiguration. For each incident we polled the ISP operators
involved to verify whether it was a misconfiguration, and to learn
the cause of the incident. We also actively probed the Internet to
determine the impact of misconfiguration on connectivity.
Surprisingly, we find that configuration errors are pervasive, with
200-1200 prefixes (0.2-1.0% of the BGP table size) suffering from
misconfiguration each day. Close to 3 in 4 of all new prefix advertisements
were results of misconfiguration. Fortunately, the connectivity
seen by end users is surprisingly robust to misconfigurations.
While misconfigurations can substantially increase the update
load on routers, only one in twenty five affects connectivity.
While the causes of misconfiguration are diverse, we argue that
most could be prevented through better router design.
Presents the first systematic study of BGP configuration
errors that propagate across the backbone of the Internet.
Focuses on two kinds of globally visible misconfigurations:
Origin misconfiguration: the accidental insertion of routes into the global
The following kinds of origin misconfiguration are detected:
Self-deaggregation: an origin deaggregates one of its
Related origin: an existing prefix (or subset) is
advertised by a new but related origin (one of the origins appears
in the AS path of the other)
Foreign origin: an existing prefix (or subset) is
advertised by a new and unrelated origin
Export misconfiguration: the accidental propagation of routes that
have been filtered. These are detected using Gao's algorithm for
discovering peering relationships (see References). AS paths with
short-lived subpaths that violate the valley-free condition or contain
multiple peering edges are detected as probable misconfigurations.
Presents heuristics to find misconfigurations in the stream of BGP updates
obtained from e.g. Routeviews.
Finds that 200-1200 prefixes, (0.2-1% of the global table size), suffer from
misconfiguration each day, i.e. about 3 in 4 of new route announcements per
day are the result of misconfiguration.
These results are likely a (significant) underestimate of the actual level of
misconfiguration, since only the following misconfigurations are considered:
lasting less than a day
of certain types
observable through Routeviews
Also analyzes the impact of misconfigurations on Internet connectivity by
actively probing paths that are suspected faulty. Connectivity is robust to
most misconfigurations, affected in only 4% of the misconfigured
announcements or 13% of the misconfiguration incidents. However, routing
load due to misconfigurations was more than 10% of the total update load for
2% of the time. On at least one occasion it exceeded 60% of the total update
load (with 15 minute averaging).
To validate the results and compile a list of causes of misconfiguration an
email survey among operators involved in incidents is used. The causes are
diverse, and not limited to human slips. The most serious causes (in terms
of the number of prefixes affected) of misconfigurations are:
Configuration features such as redistribution.
Initialisation bugs. While a router is rebooting or filters are being
updated a router may leak more specific prefixes pending filters taking
effect. One of the reasons behind this appears to be a bug in the software
of a major router vendor.
Reliance on upstream filtering.
Argue for changes in router and protocol design that would eliminate or
reduce the likelihood of observered errors or minimise their impact:
high-level policy specification as part and parcel of routers
automated verification of configuration
transactional semantics for configuration commands
Analyzes BGP updates from RouteViews using 23
different vantage points in 19 different ASes over a period
of 21 days (from 26 Dec 2001 to 15 Jan 2002). Changes that last less than a
day are used.
Email survey among operators involved in incidents to verify and determine
the cause of incidents. Email addresses were obtained from Internet routing
registries. A large portion of the addresses proved invalid for various
Active probing of the Internet to determine the impact of misconfigurations
on connectivity. Public traceroute
servers were used. Normally responsive IP addresses (obtained
from Skitter) were probed during apparent misconfiguration.